France’s Computer Emergency Response Team has issued a Bulletin D’Alerte concerning a campaign to infect VMware’s ESXi hypervisor with ransomware.

We get a little language lesson with this one: France’s CERT describes this as an attempt to “déployer un rançongiciel” (deploy ransomware), while Italy’s Agenzia per la Cybersicurezza Nazionale – which has also warned of the campaign – warns that a “rilascio di ransomware” (release of ransomware) is under way.

Neither nation’s infosec authorities offer any information about the source of the attack, but both note that it goes after CVE-2021-21974 – a 9.1/10 rated heap overflow in the OpenSLP service that ESXi exposes on the network, disclosed and patched almost two years ago in February 2021.

CVE-2021-21974 affects ESXi 7.0, 6.7 and 6.5. The latter two versions exited support in October 2022.

We’re sure those of you running unsupported and unpatched code have good reasons to do so. You now have an excellent reason to change your habits tout de suite, because ransomware-slingers don’t launch campaigns unless they see some rich targets. And targets don’t come much richer than ESXi – the bare metal hypervisor can afford access to many guest machines that run apps and store data.

Happily, the ransomware deployed in this attack is a bit crap. France-based cloud OVH has observed the campaign and believes the encryption sometimes fails and that data is not exfiltrated. Decryption tools are also already available.

The org has also observed the following indicators of compromise:

  • The compromise vector is confirmed to use an OpenSLP vulnerability that might be CVE-2021-21974 (still to be confirmed). The logs actually show the user dc-ui as involved in the compromise process.
  • Encryption is using a public key deployed by the malware in /tmp/public.pem
  • The encryption process is specifically targeting virtual machine files (.vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, .vmem)
  • The malware tries to shut down virtual machines by killing the VMX process to unlock the files. This function is not systematically working as expected, resulting in files remaining locked.
  • The malware creates argsfile to store arguments passed to the encrypt binary (number of MB to skip, number of MB in encryption block, file size).

The above should help users to determine whether they have been targeted by this campaign, and possibly infected by ransomware.
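Turning OVH’s list into something you can run on a host is straightforward. The script below is an added example, not code from OVH, VMware or the CERTs: it walks an ESXi filesystem (or an offline copy of one) looking for the dropped /tmp/public.pem, for any argsfile, and for VM files of the targeted types sitting next to an argsfile. It assumes, as on a stock install, that VM directories live under /vmfs/volumes, and that the argsfile keeps that exact name; both are assumptions, not details the page confirms. It is written for POSIX sh so it runs in the ESXi BusyBox shell.

```shell
#!/bin/sh
# Added example, not code from the page, OVH or VMware: scan an ESXi host (or an
# offline copy of its filesystem) for the indicators OVH listed for this campaign.
# Assumptions not stated on the page: VM directories live under ROOT/vmfs/volumes,
# as on a stock ESXi install, and the dropped "argsfile" keeps that exact name.
# Written for POSIX sh so it runs in the ESXi BusyBox shell.

# Extensions OVH reports the encryptor going after.
VM_EXTENSIONS="vmdk vmx vmxf vmsd vmsn vswp vmss nvram vmem"

# Print the VM files of the targeted types that sit next to an argsfile; these are
# the candidates to check for damage (and for a VMX process still holding a lock).
list_affected_candidates() {
    dir="$1"
    for ext in $VM_EXTENSIONS; do
        for f in "$dir"/*."$ext"; do
            if [ -f "$f" ]; then
                echo "  candidate: $f"
            fi
        done
    done
}

# Scan ROOT (default /) and print one line per indicator found.
# Returns the number of indicators found, so a zero exit status means "clean"
# (the shell keeps only the low 8 bits, so read the printed lines on big hosts).
scan_esxiargs_iocs() {
    root="${1:-/}"
    found=0

    # Indicator: the public key the malware drops before it starts encrypting.
    if [ -f "$root/tmp/public.pem" ]; then
        echo "IOC public key: $root/tmp/public.pem"
        found=$((found + 1))
    fi

    # Indicator: an argsfile written where the encrypt binary was run against VM files.
    # The tree is read twice (once to report, once to count) because a while loop
    # fed by a pipe runs in a subshell in most shells and could not update $found.
    find "$root/vmfs/volumes" -name argsfile 2>/dev/null | while IFS= read -r args; do
        echo "IOC argsfile: $args"
        list_affected_candidates "$(dirname "$args")"
    done
    n=$(find "$root/vmfs/volumes" -name argsfile 2>/dev/null | wc -l)
    found=$((found + n))

    return "$found"
}

# On a live host:  scan_esxiargs_iocs; echo "indicators found: $?"
# On an offline image mounted at /mnt/esxi:  scan_esxiargs_iocs /mnt/esxi
```

A hit on either indicator is a reason to isolate the host before touching anything else, and a clean scan is not proof of safety: the bulletins say the campaign goes after the OpenSLP bug, so a host that is still exposed is still a target. If you cannot patch right away, VMware’s long-standing workaround is to stop the SLP daemon and close its firewall ruleset (`/etc/init.d/slpd stop`, `esxcli network firewall ruleset set -r CIMSLP -e 0`, then `chkconfig slpd off` so it stays down across reboots).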

VMware, meanwhile, warned on February 2 of an arbitrary file deletion vulnerability in version 17.x of its Workstation desktop hypervisor. CVE-2023-20854 is rated 7.8/10 as “a malicious actor with local user privileges on the victim’s machine may exploit this vulnerability to delete arbitrary files from the file system of the machine on which Workstation is installed.”

Upgrading to version 17.0.1 knocks it on the head. ®
